Historically, there has been no love lost between software developers and security teams. Dev teams are frustrated by the restrictive nature of the security standards placed on them as they often hinder rapid application development. On the flip side, security teams see developers as one of the top threats to the integrity and success of their security strategy.
However, the never-ending race to deliver more value to customers at a faster rate is causing dev and security teams to work together. The proliferation of DevOps, which enables accelerated development of software and apps, is a primary driver of this, as it requires cross-functional collaboration and a reevaluation of security.
While DevOps breaks down critical barriers between development and operations, and often provides opportunities for organizations, it also introduces new challenges for security teams. There are three hurdles that security teams will need to jump over in order to integrate and enable DevOps:
1. Increased Pace
DevOps, at its core, enables an entirely new pace of development, which security must keep up with. Dev cycles have historically been, in some cases, months long. In this shift, they are now as short as weeks or days. As a result, a refactored security solution and toolset need to support a continuous delivery flow and must be easy to integrate and maintain. Additional features, like state-of-the-art threat modeling and real-time vulnerability alerts, are required, such as the capabilities of a next-gen WAF. Take the ThreatX WAF, for example, which is easy to deploy, configure, and maintain, and leverages behavioral analysis to effectively analyze risks in real time.
2. Barrier Removal
The success of DevOps is highly dependent upon the breakdown of silos to facilitate cross-functional, collaborative teams. For true (and effective) DevSecOps, security, development, and operations must work cohesively in pursuit of a common set of goals. The position of security teams should shift from roadblock to consultant, guiding developers to fix bad code.
3. New Skills
In order for security technology to integrate properly into the dev process, and to support a desired level of agility, security teams are often being asked to learn new skills, including APIs and coding.
With these three key characteristics in mind, security teams can mindfully evaluate their security programs and propose program shifts that truly support the growth and success of DevOps. Ultimately, security teams need to look at DevOps through the same lens as a customer-facing web app by establishing a set of standards and best practices.
You can read this content in greater detail in the original article posted on DevOps Digest.